Security Basics mailing list archives

Re: big security questions the deny access guy return


From: "John R. Morris" <jrmorris () nerdality com>
Date: Mon, 06 Dec 2004 21:50:04 -0500

Carlos Garcia wrote:

Well, I am a newbie in this area, but it seems that I have created a real revolution on the list with my deny access question. Well, as far as I could see, you are great folks who really want to help. Well, I have a lot of questions about security, so I really need your help.

Sure, I'll try to help.

First of all, I want to change the services that run in our network. I have Red Hat running on 3 servers: one server has dns1, the other has dns2, webmail and mail, and the third one has Squid for cache and proxy and an iptables-based firewall. The last one has the webmail running with Zeus on IRIX. So I really want to set up these servers with new services and as secure as possible. So, first question:

About DNS: what BIND do you recommend, and how can I protect it? I would like to install Snort to see if somebody is trying to attack my server. So should I use BIND 8 or BIND 9, and should I use a chrooted schema or not? What other security risks do I have to address?

Putting bind in a chrooted jail is a good idea. As for versions, use the latest:
http://www.isc.org/
Either Bind 9.24 or 9.30 (I recommend 9.24 unless you need the new features from 9.30).

Here's a how-to on running Bind under Linux in a chrooted Jail:
http://www.linux.com/howtos/Chroot-BIND-HOWTO.shtml

And some good configuration options for securing BIND servers:
http://www.uk-dave.com/tutorials/linux/bind.shtml
http://langfeldt.net/DNS-HOWTO/BIND-9/DNS-HOWTO-6.html
http://www.boran.com/security/sp/bind9_20010430.html

Those should give you some ideas as to how best to implement DNS securely at your site; Google can of course turn up many more tutorials and information should those prove insufficient.

About mail: I was thinking of using Postfix in place of Sendmail. Is this a good idea? For gathering mail I was thinking of Cyrus IMAP and authentication tools, but what would you recommend to me?

Postfix is easier to administer & configure and has less of a troubled past security-wise than Sendmail. I cut my teeth on Sendmail, and I'm so deeply accustomed to writing m4 macros for it now that I haven't really made the switch, but if you aren't heavily invested in using Sendmail for any reason, it's probably a saner and better choice.

Again, Cyrus-IMAP is good, and in my opinion puts a lot more effort into large scalability issues than UW's implementation; however, I prefer UW. Either one, coupled with TLS/SSL for auth all around (both for IMAP and on the MTA side; SMTP+Auth to send is good). Don't forget to add in things like Clam AV http://www.clamav.net/ and Spam Assassin, http://spamassassin.apache.org/. Grab Procmail while you're at it, too, if it's not included by default; some users just won't feel at home without it.

Should I use Snort on every server or just one?
Are iptables good enough? I have a lot more questions, but can we start with these ones? Oh, a last one: somebody on the list says that it is not a good idea to use the router as a firewall. Is this right? Why?

Using snort on every server seems entirely excessive to me. Having snort in place on a SPAN port on its own server as a central NIDS seems much more effective than using a bunch of instantiations of snort on each host for HIDS. Instead I think it's preferable to use the available IPtables, TCPWrappers, Inetd/Xinetd and so on to secure the box as much as possible from remote access, turn off unneeded services, and then make use of things like tripwire to keep an eye on the local files and so on.

Definitely consider having a central syslog server and logging from all your hosts to there, as well as from your routers & switches. Lire is a great companion to syslog (and other logs as well, like Apache):
http://logreport.org/

Finally, as I was the one (or one of the ones) who said not to use your router as a firewall, I will elaborate a bit: Routers should have ACL rules in place to prevent bogus traffic (RFC 1918 addresses, etc.), spoofed addresses pretending to be from your network, etc. That's usually referred to as ingress/egress filtering. In addition, it can also effectively be used to limit some protocols to the LAN or to a given VLAN if desired. Since routers do not in their pure form do any stateful inspection of packets, blocking things in ACLs, like high-numbered ports, is not a good thing to do. A router that does stateful packet inspection has in reality become a firewall as well, and the objection is no longer valid. Here are some references explaining all of this in more detail, and better than I could:
http://www.networkclue.com/routing/Firewalls/breakdown.php
http://securitypronews.com/2002/0214.html
http://www.security.fsu.edu/firewall.cfm

Essentially, yes, you can filter on the router, but it's mostly not stateful (doesn't keep track of the connection state), excepting things like reflexive ACLs. This brings up two major issues: one is that it is easier to get through a router's ACLs than a full-on firewall, and two, improper attempts to use a router as a firewall can lead to random network problems.

Example: you block incoming Windows RDP (TCP 3389). Someday you ssh in to a server of yours and your client grabs 3389 (it's higher than 1024, so it's usually not bound unless that host is already using it) to talk on, and voila! Your router starts dropping your packets. Now instead of you, imagine it's one of your users, who then complains and has you spend time figuring out why the network is broken. That's my understanding of the issues. So stateless router ACLs are limited to services on ports below 1024, and are of less total effectiveness and usefulness than a full-on IPtables firewall (or PIX, or Checkpoint, etc.).


Other than that, my personal preference is to use Debian over Redhat. In any case, make sure all your hosts keep up to date on patches. Irix is quite a nice Unix, but inst is not my favorite package manager, whether you can switch to running a Linux server instead is up to you.

HTH.

Regards,
John
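To make the ephemeral-port problem John describes above concrete, here is an added example that is not part of the original post or of any of the linked references: a small Python simulation of a router-style stateless ACL beside an iptables-style stateful filter, both configured to block inbound TCP 3389, run over a constructed packet trace. The addresses, ports and packets are all made up for the demonstration, and the iptables rules quoted in the class docstring are the ruleset the simulation models.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: 192.0.2.0/24 plays the LAN, everything else is "outside".
LAN = ipaddress.ip_network("192.0.2.0/24")
BLOCKED_INBOUND_PORTS = {3389}  # RDP, the port used as the example in the mail


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


def is_inbound(pkt):
    """Inbound = arriving from outside, destined for a LAN address."""
    return (ipaddress.ip_address(pkt.dst) in LAN
            and ipaddress.ip_address(pkt.src) not in LAN)


def stateless_acl(pkt):
    """Router-style ACL: each packet is judged on its own headers only.
    An inbound 'deny tcp any any eq 3389' also catches the replies to our
    own outbound connections whenever the client picked 3389 as its source
    port, which is exactly the failure the mail describes."""
    if is_inbound(pkt) and pkt.dport in BLOCKED_INBOUND_PORTS:
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """iptables-style filter with connection tracking, modelling:
         -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
         -A FORWARD -m state --state INVALID -j DROP
         -A FORWARD -p tcp --dport 3389 -m state --state NEW -j DROP
       with a default policy of ACCEPT (the state names are iptables';
       the tracking itself is a deliberately simplified stand-in)."""

    def __init__(self):
        self.conntrack = set()  # 4-tuples of connections opened from the LAN

    def filter(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"           # ESTABLISHED: belongs to a tracked flow
        if not pkt.syn:
            return "DROP"             # INVALID: no SYN and no tracked flow
        if not is_inbound(pkt):
            self.conntrack.add(flow)  # NEW outbound: start tracking it
            return "ACCEPT"
        if pkt.dport in BLOCKED_INBOUND_PORTS:
            return "DROP"             # NEW inbound to a blocked port
        return "ACCEPT"


def build_trace():
    """Constructed trace: the admin's ssh session from the mail, where the
    client happens to get 3389 as its ephemeral port, followed by a genuine
    inbound RDP connection attempt from an outside host."""
    admin, server = "192.0.2.10", "198.51.100.5"
    outsider, lan_host = "203.0.113.7", "192.0.2.20"
    return [
        Packet(admin, 3389, server, 22, syn=True),        # ssh SYN going out
        Packet(server, 22, admin, 3389),                  # SYN/ACK back, dport 3389
        Packet(admin, 3389, server, 22),                  # ACK / session data
        Packet(outsider, 51000, lan_host, 3389, syn=True),  # unwanted RDP attempt
    ]


def run_stateless(trace):
    return [stateless_acl(p) for p in trace]


def run_stateful(trace):
    fw = StatefulFilter()
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    trace = build_trace()
    for pkt, sl, sf in zip(trace, run_stateless(trace), run_stateful(trace)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport:<5} "
              f"stateless={sl:<6} stateful={sf}")
```

The second packet is the one that matters: the server's reply to the admin's ssh session is dropped by the stateless ACL purely because its destination port is 3389, while the stateful filter recognises it as part of a flow the LAN side opened and lets it through. Both filters still drop the outsider's real connection attempt to 3389, so the stateful version loses nothing on the blocking side.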

